FICO nixes NAC number-fixing claims on retail ATM compromise
On April 6, the National ATM Council published its rejoinder to a FICO report that nonbank ATMs were again the largest source of card compromise in the United States in 2016.
This year's statistics showed improvement over the previous year — 60 percent in 2016 compared with 64 percent in 2015.
Nevertheless, NAC went on the warpath just as it did when last year's results were announced.
In its two-page rebuttal to the FICO findings, NAC raised five points questioning the veracity — and even the intent — of FICO's report.
ATM Marketplace will offer its take on the matter in an upcoming blog. But first, we wanted to find out what FICO had to say about this year's NAC attack on the numbers.
We put five questions to T.J. Horan, vice president of fraud solutions at FICO, addressing head-on NAC's five key points. Following are excerpts from the NAC memo, as well as ATM Marketplace's questions about those points, and Horan's emailed responses to our questions:
NAC Attack No. 1
"The truth is that some of the largest owners of FICO are the big banks themselves. This fact makes FICO's data/findings, purporting to show more card fraud at non-bank ATMs versus bank ATMs, highly suspect and apparently designed to scare consumers away from using retail ATMs, in favor of using bank machines."
ATM: NAC claims that FICO stats on U.S. card compromise and/or fraud at ATMs are "highly suspect" because FICO is owned largely by big banks. How does FICO arrive at its fraud numbers?
TJH: The data we shared is actual data analyzed by FICO Card Alert Services, which monitors over two-thirds of ATM activity in the U.S. every day, and analyzes compromise activity for hundreds of thousands of nonbanking ATMs, banking ATMs and merchant POS machines.
We are not owned by banks — we are a public company and none of our major shareholders is a bank. Banks in the U.S. use FICO products and services, but so do credit unions, retailers and other companies, big and small.
NAC Attack No. 2
" ... This false picture would appear to be aimed at skewing public opinion toward irrationally fearing use of retail ATM terminals. Given the fact that hundreds of millions of dollars in FICO stock is owned by the nation's largest banks — and those big national banks' networks of ATMs compete with the ATMs provided by independent ATM companies — this skewing of the 'report' starts to make sense. This treatment is consistent, for instance, with the egregious penalties the big banks impose upon their own card holders each time they are disloyal and use a competitor's ATM."
ATM: NAC claims that big banks (and FICO) are trying to scare the public into avoiding retail ATMs and using bank ATMs instead. Is that what is happening?
TJH: No; this is absolutely false. We are just reporting data, not trying to get anyone to use different ATMs.
NAC Attack No. 3
"FICO's 'report' refers throughout to card 'compromises' but never once defines to what, exactly, this term is referring — leaving an impression that it is referencing skimming incidents, where the card data is actually stolen. However, based upon all the real world information available to NAC, including FICO's own description of its services, 'compromise' must instead be referencing the USE of cloned/counterfeit cards at retail ATMs — NOT the skimming theft of the card data. This is a big distinction, with a big difference.
ATM: NAC claims that FICO uses the term "card compromise" in reference to both card skimming and counterfeit card use. What is FICO's definition of card compromise?
TJH: In our reported numbers, when we refer to a compromise, we refer to an ATM or merchant device where card information has been stolen. We are not talking about the use of those compromised cards. The FICO Card Alert Service is designed to identify which cards may have been compromised and alert the financial institutions so they can take action to prevent fraudulent card use.
NAC Attack No. 4
"The reality is that retail ATMs are the least likely place for consumers to have their card information stolen — or as it is known in the business 'skimmed.' They are much more likely to run into a skimming device and have their card data 'compromised' at an unattended bank ATM than at an attended in-store retail ATM. Outdoor, on-premises bank ATMs have much higher transaction volumes — which, together with their being typically left unattended and out of site [sic] of bank personnel — make them the perennial targets of choice for card/PIN data theft."
ATM: NAC claims that retail ATMs are the least likely place for card skimming, and says that cardholders are more likely to have their card skimmed at an unattended bank ATM. Is this true?
TJH: According to our data, a higher percentage of compromises in 2016 took place at ATMs that are not at banks.
NAC Attack No. 5
"When you start at zero (which is where card skimming at retail ATMs stood historically) — any future incidences will represent a 'huge' percentage increase — while the absolute number of incidences remains very, very low. In this light, when it comes to card skimming, NAC is confident that retail ATMs remain at far lower risk of skimming than the unattended and much higher volume bank ATMs."
ATM: NAC complains that FICO cited percentages in its press release but did not provide real numbers from which they were derived. They point out that a change from zero compromises to one compromise would be a 100 percent increase. Can you address this complaint?
TJH: Our contracts don’t allow us to share the hard numbers. However, we can say that NAC is right in its claim that the vast majority of ATMs did not suffer a compromise last year. A very small percentage of ATMs are compromised each year. We never said that most ATMs were compromised, and we certainly didn’t mean for anyone to rush to that conclusion.
Fraud is still a fairly rare problem, but the losses can be significant and the pain of a consumer who has suffered losses is significant. Should consumers know about a sharp rise in ATM compromises? We believe so, and we believe the sensible steps we provided are a good way for people to protect themselves.
Suzanne Cluckey / Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally. She is now the editor of ATMmarketplace.com and BlockChainTechNews.com